SEC quietly updates regulations! Goldman Sachs and Morgan Stanley can claim "control" over user private keys

The U.S. Securities and Exchange Commission (SEC) quietly updated its Frequently Asked Questions on crypto assets on December 17, clarifying how broker-dealers like Morgan Stanley, Goldman Sachs, and others can meet custody and capital requirements for crypto asset securities. The key change is that broker-dealers can assert “control” over client crypto assets through a “qualified control location” and written instructions, without actually holding private keys. SEC staff also withdrew reliance on the safe harbor for Special Purpose Broker-Dealers (SPBD).

From Actual Holding to Written Control: A Regulatory Revolution

(Source: SEC)

The core of this update is shifting the definition of “control” from “actual possession of private keys” to “demonstrated control through contractual and procedural means.” For crypto asset securities, staff stated that even if the instrument is uncertificated, broker-dealers can establish “control” by using a qualified control location under Rule 15c3-3©. This seemingly technical adjustment fundamentally changes the nature of custody.

In traditional crypto philosophy, “Not your keys, not your coins” is an ironclad rule. But SEC’s new regulation allows broker-dealers to claim control via methods such as: keys stored in Hardware Security Modules (HSMs), bank-controlled locations with written instructions, or broker-dealer signatures and procedures designed to meet multi-signature arrangements that satisfy control location expectations.

What does this mean? In practice, firms like Morgan Stanley or Goldman Sachs can sign agreements with a bank or custodian stating “we have the authority to instruct the transfer of client crypto assets,” without actually holding private keys. As long as the contractual language, internal procedures, and audit trail meet SEC requirements, the “control” standard is satisfied.

Three Modes of Private Key Control Under the New SEC Regulation

Self-Custody Model: Broker-dealer directly controls private keys (HSM or multi-signature), providing direct evidence aligned with 15c3-3©, but bears network control and insurance risks.

Bank Sub-Custody Model: Bank holds private keys at a control location, with broker-dealer having instruction rights via contract; familiar custody scope but contractual terms must demonstrate control capability.

Smart Contract Custody Model: Multi-signature arrangements between broker-dealer and transfer agent, programmable control, but how the review team tests “control” remains unclear.

This shift emphasizes contractual language, key governance, and audit trails capable of demonstrating long-term control. Summaries from law firms like Sullivan & Cromwell and Sidley Austin highlight that staff’s approach broadens the ways ordinary broker-dealers can prove control without relying on the SPBD status as a default.

The Far-Reaching Impact of the SPBD Safe Harbor Withdrawal

Staff indicated that this approach reduces reliance on the SPBD safe harbor, which was previously the main way to demonstrate control over securities. SPBD is a regulatory framework designed specifically for digital asset custody, requiring strict standards including independent capital requirements, dedicated risk controls, and regular inspections.

Removing SPBD as a necessary pathway appears to lower the barrier for broker-dealers to enter crypto custody, but in reality, it creates a larger gray area. Under the SPBD framework, rules are clear and strict, with well-understood standards for broker-dealers and regulators. Now, “control” proof becomes an art of “contract language” and “internal procedures,” with significantly increased interpretive flexibility.

The 2019 joint statement by SEC and FINRA on broker-dealer custody of digital securities has been marked as withdrawn on the SEC’s withdrawal page, and FINRA issued a similar notice. That 2019 statement was once the industry’s “North Star,” providing clear compliance guidance. Its withdrawal narrows the “North Star” for broker-dealer custody to the FAQ framework, which is far less legally binding than a formal statement.

The timing of this withdrawal is noteworthy. The Trump administration promoted crypto-friendly policies, SEC Chair was replaced by Paul Atkins, and the Federal Reserve withdrew its 2023 policy restricting banks from crypto activities. All these moves aim to “lower barriers and encourage participation.” But what is the cost of lowering barriers? Possibly a decline in customer protection levels.

Protection Vacuum for Non-Security Cryptocurrencies

For non-security cryptocurrencies, staff reaffirmed that Rule 15c3-3(b) “possession or control” does not apply, thus excluding non-security crypto assets from the customer protection rules that govern securities custody. This is a critically important but easily overlooked point: when you store Bitcoin or Ethereum in Morgan Stanley’s crypto custody service, they are not protected by traditional securities custody customer protection rules.

Traditional securities custody requires strict segregation, with broker-dealers required to keep client assets separate from their own, and client assets not to be liquidated in case of broker-dealer bankruptcy. Non-security cryptocurrencies are excluded from these protections. If a broker-dealer goes bankrupt or is hacked, clients may face asset losses with no recourse.

The December 17 update clarifies the boundary for retail-facing firms, which still need to explicitly disclose which protections apply and which do not. But how many retail investors will read these disclosures carefully? Most will see “Morgan Stanley custody” and assume bank-level protection, which may be entirely untrue.

SEC Commissioner Hester Peirce described the staff FAQ as incremental, noting that the guidance can reduce friction for market participants trying to incorporate on-chain activities into existing rules. This official statement emphasizes “reducing friction” and “encouraging participation,” but downplays the potential weakening of customer protections.

For broker-dealers relying on bank sub-custody as a control location, the Federal Reserve’s withdrawal of a prior supervisory letter issued on April 24, 2025, regarding certain crypto assets, shifts bank involvement toward more routine regulatory channels. This change shortens the pathway from concept to regulatory dialogue with banks, making it easier for Wall Street banks to enter the crypto custody market.

Broker-dealers will still need to demonstrate control and record-keeping in a manner that can be tested by examiners. Over the next 12 to 18 months, custody markets may cluster around structures capable of producing repeatable control evidence while managing network and operational risks. The key question is: who will define the standards for “repeatable control evidence”? Until standards are clarified, client assets may be at significant risk of underestimation.